Thad Floryan
2014-04-09 05:42:24 UTC
We all know Yahoo is a company that prides itself on hiring H1-B Visa
clowns who are totally incompetent. Witness the destruction of Yahoo
Groups' message archives and the dumbed-down and nearly unusable NEO
interface that infected Yahoo Groups mid-August 2013. And, of course,
Yahoo Email is one of the longest-running jokes on Earth far surpassing
AOL's clown circus. You'd be well-advised to abandon Yahoo and Yahoo
Mail immediately.
Another article from ARS Technica entitled:
Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style
is here:
http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/
Lest readers think "catastrophic" is too exaggerated a description for
the critical defect affecting an estimated two-thirds of the Internet's
Web servers, consider this: at the moment this article was being
prepared, the so-called Heartbleed bug was exposing end-user passwords,
the contents of confidential e-mails, and other sensitive data belonging
to Yahoo Mail and almost certainly countless other services.
The two-year-old bug is the result of a mundane coding error in OpenSSL,
the world's most popular code library for implementing HTTPS encryption
in websites, e-mail servers, and applications. The result of a missing
bounds check in the source code, Heartbleed allows attackers to recover
large chunks of private computer memory that handle OpenSSL
processes. The leak is the digital equivalent of a grab bag that hackers
can blindly reach into over and over simply by sending a series of
commands to vulnerable servers. The returned contents could include
something as banal as a time stamp, or it could return far more valuable
assets such as authentication credentials or even the private key at the
heart of a website's entire cryptographic certificate.
Underscoring the urgency of the problem, a conservatively estimated
two-thirds of the Internet's Web servers use OpenSSL to
cryptographically prove their legitimacy and to protect passwords and
other sensitive data from eavesdropping. Many more e-mail servers and
end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant
messages, and other sensitive data. OpenSSL developers have released
version 1.0.1g that readers should install immediately on any vulnerable
machines they maintain. But given the stakes and the time it takes to
update millions of servers, the risks remain high.
Enter Yahoo Mail
For an idea of the type of information that remains available to anyone
who knows how to use open source tools like this one, just consider
Yahoo Mail, the world's most widely used Web mail service. The images
below were recovered by Mark Loman, a malware and security researcher
with no privileged access to Yahoo Mail servers. The plaintext passwords
appearing in them have been obscured to protect the Yahoo Mail users
they belong to, a courtesy not everyone exploiting this vulnerability is
likely to offer. To retrieve them, Loman sent a series of requests to
servers running Yahoo Mail at precisely the same time as the credentials
just happened to be stored—Russian roulette-style—in Yahoo memory.
Hackers can repeat the process over and over on unpatched servers and
then use freely available software to scan the results for all kinds of
sensitive data. In theory, attackers may also be able to query client
machines running OpenSSL-powered software to retrieve large chunks of
sensitive memory, too.
(Private) keys to the kingdom
The huge number of servers running software vulnerable to Heartbleed
exploits isn't the only thing that makes patching difficult. That's
because one of the crucially sensitive pieces of information potentially
exposed by the vulnerability is the private key that corresponds to a
website's digital certificate. Attackers who get access to the private
key can use it to impersonate a site even after the OpenSSL patch is
applied. What's more, for sites that don't use a cryptographic property
known as perfect forward secrecy, attackers might be able to use the key
to decrypt data already sent. And of course, any sensitive data
transmitted between the time the flaw was discovered and when it was
patched remains potentially compromised.
All of this means that applying the OpenSSL patch is only the starting
point on the multi-step path of Heartbleed recovery. Website operators
should strongly consider replacing their X.509 certificates after
applying the update and getting all users and administrators to change
passwords as well. While it's possible that none of this data has been
compromised, there's no way to rule it out, either.
It's probably premature for users to replace passwords across the board,
but for sites they know have received the OpenSSL patch, it may be a
good idea to change login credentials. People who are truly security
conscious may want to change passwords a second time if they notice a
patched site later updates its digital certificate.
In the meantime, readers should steer clear of Yahoo Mail and any other
sites that are still running vulnerable versions of OpenSSL. The login
credential you save may be your own.
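Added example, not part of the post or of the Ars Technica article: a small C model of the missing bounds check the article describes. The record layout (type byte, two-byte length, payload, 16 bytes of padding) follows the TLS heartbeat extension, but the handler names, the "arena" standing in for process memory, and the credential string are constructed for the demo; hb_vulnerable is a simplification of the bug, not OpenSSL's code, and the guard that keeps its over-read inside the arena exists only so the demo stays memory-safe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(16).
 * Layout as in the TLS heartbeat extension; the names are this example's own. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   256

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap);

/* Constructed stand-in for process memory: the request lands at offset 0 and an
 * unrelated, constructed credential sits a little further along in the same region. */
static uint8_t arena[ARENA_SIZE];
static const char SECRET[] = "login=alice&passwd=hunter2";   /* constructed, not real */

/* Place a request with 5 real payload bytes but a caller-chosen length field.
 * Returns how many bytes actually arrived, which is all the peer really sent. */
static size_t build_request(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, "hello", 5);
    size_t rec_len = 3 + 5 + HB_PADDING;                 /* 24 bytes on the wire */
    memcpy(arena + 40, SECRET, sizeof SECRET);           /* lives beyond the record */
    return rec_len;
}

/* Vulnerable handler: the length field is trusted and memcpy copies that many
 * bytes out of the record buffer, whether or not that many were received. */
static size_t hb_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                                       /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    /* Demo-only guard so the over-read stays inside the arena; OpenSSL had no such limit. */
    if (resp_len > out_cap || 3 + (size_t)payload_len > ARENA_SIZE) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);               /* reads past the end of the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: reject the record unless header + claimed payload + padding fit
 * inside the bytes that actually arrived (equivalent to the check the 1.0.1g fix added). */
static size_t hb_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING) return 0;              /* too short to be a heartbeat at all */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len + HB_PADDING > rec_len) return 0;   /* the missing bounds check */
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);               /* now provably inside the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

static uint8_t response[ARENA_SIZE + 3 + HB_PADDING];

/* Send one request with the given length field through a handler;
 * returns the response length, 0 meaning the record was rejected. */
static size_t response_len(hb_handler h, uint16_t claimed_len) {
    size_t rec_len = build_request(claimed_len);
    return h(arena, rec_len, response, sizeof response);
}

/* 1 if the response to that request carries the constructed secret, i.e. if an
 * attacker scanning the returned bytes would have found the credential. */
static int secret_leaked(hb_handler h, uint16_t claimed_len) {
    size_t n = response_len(h, claimed_len);
    size_t needle_len = sizeof SECRET - 1;
    for (size_t i = 0; i + needle_len <= n; i++)
        if (memcmp(response + i, SECRET, needle_len) == 0) return 1;
    return 0;
}

int main(void) {
    printf("claimed=5   vulnerable: %zu bytes, leak=%d\n", response_len(hb_vulnerable, 5),   secret_leaked(hb_vulnerable, 5));
    printf("claimed=200 vulnerable: %zu bytes, leak=%d\n", response_len(hb_vulnerable, 200), secret_leaked(hb_vulnerable, 200));
    printf("claimed=200 fixed:      %zu bytes, leak=%d\n", response_len(hb_fixed, 200),      secret_leaked(hb_fixed, 200));
    printf("claimed=5   fixed:      %zu bytes, leak=%d\n", response_len(hb_fixed, 5),        secret_leaked(hb_fixed, 5));
    return 0;
}
```

The honest request (length field 5) gets a 24-byte echo from both handlers. The dishonest one (length field 200, still only 24 bytes on the wire) makes the vulnerable handler return 219 bytes, 195 of which were never sent and here include the constructed credential; the fixed handler drops it. Repeating the request is what the article calls the grab bag: each reply is whatever happened to sit after the record in memory at that instant.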